Details

Description

Recently Tomcat (>=8.5) began shipping with rules that cause it to reject requests in which the URL oath and query components are not correctly URI encoded. The w10n protocol utilizes a syntax which employs the square brackets as part of the URL path. Using % encoding on the square brackets in the URL did not resolve the problem - Tomcat returns a 400 stays header and nothing more.

Example:

This URL will be blocked by modern Tomcat because of the square brackets: